The company's response comes as security firm Check Point alleges that LinkedIn is vulnerable to the same kind of attack that hit Facebook, causing worry that ransomware distributors may have tapped two extremely large pools of potential victims.

The story kicked off with a blog post on Nov. 20 from Bart P., a PwC threat intelligence researcher, who spotted a campaign spreading malicious image files through Facebook's Messenger. The files had a ".svg" suffix, which stands for scalable vector graphics.

The XML-based format allows images to retain their quality regardless of how
they're manipulated. But it also allows for other embedded active content including
JavaScript, which holds the potential for trouble.

If someone clicked on the .svg file received through Facebook, it's downloaded to a computer. If opened, the file launches a browser window that shows a fake YouTube website, Bart P. writes. That site shows a message that encourages victims to download a codec that is supposedly needed to view a video.

Actually, the file leads to a bogus Chrome extension that acted as a worm, harvesting data from someone's Facebook contacts and spreading through Messenger.

But there are indications that the .svg file didn't always try to get people to run a dodgy extension. Peter Kruse, founder of CSIS Security Group in Denmark, wrote that one test showed the .svg file was actually Nemucod, which is a malicious downloader. If Nemucod was downloaded, it would then deliver the Locky ransomware.

Some observers took issue with Kruse's analysis, writing their tests showed only the malicious Chrome extensions were delivered. But Kruse wrote on Twitter that the .svg files actually had varied payloads. Sometimes the payload was the questionable Chrome extension, called Udo, while others delivered Locky.

Locky is one of the top ransomware families, named after its behavior of adding .locky to files it encrypts. Users are typically asked to pay between .5 to 1 bitcoin (US$315 to $730) to decrypt their files (see Retooled Locky Ransomware Pummels Healthcare Sector).

Check Point Weighs In

A few days after Bart P.'s blog post, Check Point claimed to have discovered the attack vector used against Facebook, saying it also affects LinkedIn.

Check Point dubbed the attack ImageGate, claiming that attackers had "built a new capability to embed malicious code into an image file and successfully upload it to the social media website."

"In the past week, the entire security industry is closely following the massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign," Check Point writes.

The company writes that it's waiting for Facebook and LinkedIn to adjust their defenses before providing more technical detail. But Check Point did publish a video demonstration showing what it says is a successful ransomware attack conducted via Facebook. However, the method differs somewhat from what is described by Bart P.

The attack is launched over Facebook's Messenger. But instead of sending a .svg file, it uses a .hta one, which is a file extension designating an HTML application. The video shows that user would have to click on the file and save it before ransomware runs.

Facebook says Check Point's blog post doesn't describe the issue posed by Bart P., even though the company portrays it as the same.

"This analysis is incorrect," Facebook says in a statement. "There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook."

Check Point contends it is using essentially the same method as spotted by Bart P. in order to infect someone with ransomware. However, Facebook is investigating the issue raised by Check Point, which would only appear to affect people using Firefox.

It's unclear from Check Point's blog post how the attack affected LinkedIn. Officials with LinkedIn, which is owned by Microsoft, couldn't be reached.

A Locky Break?

Since the posts from Bart P. and Check Point, Facebook analysts have found no evidence that ransomware has been successfully spread. Following Bart P.'s post, Facebook blocked and reported the bad Chrome extensions to Google.

Facebook has defenses in place to prevent the distribution of malicious code through Messenger. But attackers are always testing new methods to try and get past the filters. A large-scale outbreak of ransomware on either Facebook or LinkedIn would be notable but unlikely to last very long, as both companies would move quickly to shore up their systems.

Also, the attacks as described rely on heavy user interaction. In Bart P.'s example, users would have to click several times before the malicious code extension is installed. Check Point's demo has victims clicking twice: once to view a file sent over Messenger and then a second time to save it to a computer.

Of course, the benefit of abusing Facebook and LinkedIn is that users usually blindly trust whatever is sent to them, particularly if it appears to come from a trusted contact.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.